Closed satopian closed 1 year ago
That is a false positive by CodeQL. It relates to the text tool. In its text renderer it creates a string with the user input (to calculate its dimensions). This string is then assigned to textContent, which is safe. https://developer.mozilla.org/en-US/docs/Web/API/Node/textContent#differences_from_innerhtml
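The pattern described in that comment (build a string from user input to measure it, assign it with `textContent`), as an added example that is not Klecks' own code and does not reproduce its text renderer. The safe helper sits beside the `innerHTML` variant that would be a genuine sink; the `doc` parameter is injected so the measurement helper can be exercised with a stub outside a browser.

```javascript
// Added example, not taken from the Klecks repository.
// Shows why assigning user text via textContent is not an HTML injection sink,
// and what the code would look like if it actually were one.

// Safe: textContent stores the string as literal text. Markup characters in
// userText are never parsed, so "<b>hi</b>" is rendered as those nine characters.
function setMeasureTextSafe(el, userText) {
  el.textContent = userText;
  return el;
}

// Unsafe counterpart for contrast only: innerHTML parses the string as markup,
// so user-controlled input would reach the HTML parser. This is the kind of
// sink a CodeQL DOM-XSS query is meant to catch; the safe helper above is not.
function setMeasureTextUnsafe(el, userText) {
  el.innerHTML = userText;
  return el;
}

// Measure the rendered width of user text with an off-screen span.
// `doc` is a Document (or a stub with the same few methods), passed in
// rather than read from the global so this runs outside a browser.
function measureTextWidth(userText, font, doc) {
  const span = doc.createElement('span');
  span.style.font = font;
  span.style.position = 'absolute';
  span.style.visibility = 'hidden';
  span.style.whiteSpace = 'pre';
  setMeasureTextSafe(span, userText);      // user input enters here, as text
  doc.body.appendChild(span);
  const width = span.getBoundingClientRect().width;
  doc.body.removeChild(span);
  return width;
}

// Browser demo: constructed sample input containing markup characters.
if (typeof document !== 'undefined') {
  console.log(measureTextWidth('<b>hello</b>', '16px sans-serif', document));
}
```

When reviewing a CodeQL finding on such code, the question to answer is which property receives the tainted string: `textContent` and `innerText` take text, while `innerHTML`, `outerHTML` and `insertAdjacentHTML` take markup.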
Thank you for your verification.
When I run a code scan on GitHub, I get a report that there is one vulnerability in Klecks.
Since it is a report of CodeQL, which is GitHub's standard code scanning function, if security scanning is enabled on the current repository, the repository owner will be able to see a detailed report. I'm not sure if GitHub's security scan report is an issue that can be ignored or if it should be fixed.